Conversation

@kvaps kvaps commented Dec 25, 2025

Signed-off-by: Andrei Kvapil kvapss@gmail.com

What this PR does

Release note

[cozystack-operator] Add deployment files

Summary by CodeRabbit

  • New Features

    • Deployable CozyStack operator with configurable enablement, image, and platform-source settings
    • Operator-managed package source and variant-based platform installation options
  • Chores

    • Release/packaging targets added to automate image and package publishing and update manifests
    • Configuration schema extended to include operator-related fields and versioning controls

@dosubot dosubot bot added the size:L This PR changes 100-499 lines, ignoring generated files. label Dec 25, 2025
coderabbitai bot commented Dec 25, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds an operator-based deployment path: Makefile targets to build/publish operator and packages (updating values.yaml), a Dockerfile for the operator, Helm templates to conditionally deploy the operator, gated CRDs, and values/example manifests to toggle between operator-managed and direct deployments.

Changes

Cohort / File(s) / Summary

Build / CI targets
packages/core/installer/Makefile
Added update-version (set cozystackVersion in values.yaml), image-operator (build/push operator image, record digest, update values.yaml), and image-packages (depends on update-version; publish platform-packages, capture digest, update cozystackOperator.platformSourceRef/URL in values.yaml)

Operator image
packages/core/installer/images/cozystack-operator/Dockerfile, packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
New multi-stage Dockerfile building a static cozystack-operator binary (golang:1.25-alpine → alpine:3.22); dockerignore whitelists source and module files for build context.

Helm templates & CRDs
packages/core/installer/templates/cozystack-operator.yaml, packages/core/installer/templates/crds.yaml
New operator template: Namespace, ServiceAccount, ClusterRoleBinding, Deployment, and PackageSource with three variants; crds.yaml changed from commented-out to conditionally rendered when .Values.cozystackOperator.enabled is true.

Conditional direct deployment
packages/core/installer/templates/cozystack.yaml
Wrapped existing direct resources in {{- if not .Values.cozystackOperator.enabled }} so resources are omitted when operator is enabled.

Values & example manifest
packages/core/installer/values.yaml, packages/core/installer/example/platform.yaml
Added cozystackOperator mapping with enabled, image, platformSourceUrl, platformSourceRef, cozystackVersion; example platform.yaml adds a Package manifest for cozystack.cozystack-platform (variant isp-full with publishing and OIDC fields).

Sequence Diagram(s)

sequenceDiagram
    participant Dev as DevOps
    participant Make as Makefile
    participant Docker as Docker/Build
    participant Reg as Registry
    participant Helm as Helm
    participant K8s as Kubernetes

    rect rgb(210,240,220)
    Note over Dev,Reg: Build & publish operator/packages
    Dev->>Make: make update-version TAG=vX.Y
    Make->>Make: write cozystackVersion to values.yaml
    Dev->>Make: make image-operator
    Make->>Docker: build cozystack-operator image
    Docker->>Reg: push image -> returns digest
    Make->>Make: update cozystackOperator.image (digest) in values.yaml
    Dev->>Make: make image-packages
    Make->>Reg: publish platform-packages -> returns digest
    Make->>Make: update cozystackOperator.platformSourceUrl/ref in values.yaml
    end

    rect rgb(230,230,255)
    Note over Helm,K8s: Deploy using Helm
    Dev->>Helm: helm install/upgrade --values values.yaml
    alt .Values.cozystackOperator.enabled == true
        Helm->>K8s: create CRDs, Namespace, Deployment, PackageSource
        K8s->>K8s: operator reconciles PackageSource -> installs packages
    else
        Helm->>K8s: create direct Cozystack resources (templates/cozystack.yaml)
    end
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰
I hopped through Makefiles, tags held tight,
Built an operator under starlit night.
Digests tucked in values neat and small,
Helm decides if operator answers the call.
A carrot of CI, packages rise — hop, deploy, all!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name / Status / Explanation
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title '[cozystack-operator] Add deployment files' clearly and specifically describes the main change: introducing deployment-related files for the cozystack-operator component, which is confirmed by the raw summary showing new Dockerfile, Kubernetes manifests, Helm templates, and Makefile targets.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@dosubot dosubot bot added the enhancement New feature or request label Dec 25, 2025

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request lays the groundwork for deploying the Cozystack platform using a dedicated operator. It introduces all necessary Kubernetes deployment files, Docker build configurations, and Helm value adjustments to enable the cozystack-operator to manage the installation and lifecycle of Cozystack components, moving towards a more automated and robust deployment model.

Highlights

  • Introduction of Cozystack Operator Deployment: New Kubernetes manifests have been added to deploy the cozystack-operator, including its dedicated namespace, service account, cluster role binding, deployment configuration, and a PackageSource definition for managing platform components.
  • Build and Packaging Automation: New Makefile targets (update-version, image-operator, image-packages) have been introduced to automate the building of the cozystack-operator Docker image, pushing platform packages as OCI artifacts, and updating relevant version and source information in values.yaml.
  • Conditional Deployment Logic: The existing cozystack resources and CRDs are now conditionally deployed based on a new cozystackOperator.enabled flag, allowing for a phased transition or alternative deployment strategy where the operator manages the platform components.
  • New Configuration Options: A new cozystackOperator section has been added to values.yaml, providing configurable options for the operator's image, platform source, and Cozystack version.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces deployment files for the cozystack-operator, including a Dockerfile, Kubernetes manifests, and Makefile targets. The changes are a good step towards automating the operator's deployment. However, I've identified several critical and high-severity issues that should be addressed. The most significant concerns are security-related in the Kubernetes manifests, such as granting cluster-admin permissions and using a privileged namespace, which violate the principle of least privilege. Additionally, there's a critical path error in a Helm template that will prevent CRDs from being installed, and the Dockerfile uses a non-existent Go version and runs as root. My review includes specific suggestions to fix these issues.

@kvaps kvaps force-pushed the cozystack-operator-manifests branch from 7d48bb6 to b049f01 Compare December 25, 2025 15:17
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

♻️ Duplicate comments (9)
packages/core/installer/images/cozystack-operator/Dockerfile (3)

1-1: Verify Go version exists.

The Dockerfile specifies golang:1.25-alpine, but this version may not exist yet. Please verify that Go 1.25 has been released and that the corresponding Docker image is available.

What is the latest stable version of Go as of December 2025?

19-19: Verify Alpine version stability.

The base image uses alpine:3.22, which may be an unreleased or edge version. For production deployments, it's recommended to use a stable Alpine version.

What is the latest stable version of Alpine Linux as of December 2025?

19-23: Run container as non-root user.

The container runs as root, which is a security risk. Following the principle of least privilege, containers should run as a non-root user to limit the potential impact of a container breakout vulnerability.

🔎 Proposed fix
-FROM alpine:3.22
+FROM alpine:3.22

+RUN addgroup -S appgroup && adduser -S appuser -G appgroup

 COPY --from=builder /cozystack-operator /usr/bin/cozystack-operator

+USER appuser
+
 ENTRYPOINT ["/usr/bin/cozystack-operator"]
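Review bot: `USER appuser` switches to a user by name, which a `runAsNonRoot: true` securityContext on the operator Deployment cannot verify at container start (the kubelet needs a numeric UID in the image config to enforce it); prefer `RUN addgroup -S appgroup && adduser -S -u 65532 appuser -G appgroup` together with `USER 65532:65532` so the pod spec can enforce non-root as well. Placing the `RUN addgroup ... adduser` line before the `COPY --from=builder` is the right order: the binary stays root-owned and only readable by appuser.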
packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore (1)

1-3: Fix misleading comment and remove leftover rule.

The comment states "Exclude everything except src directory" but the file includes many other directories. Additionally, the !src/** rule on line 3 appears to be a leftover from a different project structure, as there is no src directory at the root.

🔎 Proposed fix
-# Exclude everything except src directory
+# Exclude everything except Go source files and modules
 *
-!src/**
 !api/**
 !cmd/**
 !hack/**
 !internal/**
 !packages/**
 !pkg/**
 !scripts/**
 !go.mod
 !go.sum
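Review bot: the Hadolint DL1000 error reported on line 2 of this file (`unexpected '*'`) is the linter parsing `Dockerfile.dockerignore` as a Dockerfile because of the filename prefix, not a defect in the proposed content, so exclude that path from hadolint in CI rather than reworking the rules. Separately, `!packages/**` re-includes the whole packages tree, which holds this installer chart and the `images/cozystack-packages.log` the Makefile writes during `image-packages`; if the Go build only needs Go packages under packages/, narrow the rule to those subdirectories so stray build artifacts cannot end up in the build context.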
packages/core/installer/Makefile (1)

55-57: Refactor fragile command substitution with side effects.

The rm command executes inside the awk command substitution, which is fragile and difficult to debug. If DIGEST is empty (e.g., if the log pattern doesn't match), the script continues silently without updating values.yaml, potentially causing deployment issues.

🔎 Proposed fix
	export REPO="oci://$(REGISTRY)/platform-packages"; \
-	export DIGEST=$$(awk -F@ '/artifact successfully pushed/ {print $$2}' images/cozystack-packages.log; rm -f images/cozystack-packages.log); \
-		 test -n "$$DIGEST" && yq -i '.cozystackOperator.platformSource = (strenv(REPO) + "@" + strenv(DIGEST))' values.yaml
+	export DIGEST=$$(awk -F@ '/artifact successfully pushed/ {print $$2}' images/cozystack-packages.log); \
+	rm -f images/cozystack-packages.log; \
+	if [ -z "$$DIGEST" ]; then \
+		echo "Error: Failed to extract digest from flux push output"; \
+		exit 1; \
+	fi; \
+	yq -i '.cozystackOperator.platformSource = (strenv(REPO) + "@" + strenv(DIGEST))' values.yaml
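Review bot: the yq path in the replacement line writes `.cozystackOperator.platformSource`, while the values.yaml keys described elsewhere in this review are `cozystackOperator.platformSourceUrl` and `cozystackOperator.platformSourceRef` (see the walkthrough's Makefile and values.yaml summaries), so applying this fix as written adds a third, unused key; point the yq expression at whichever key the template actually reads. Also, `awk ... {print $$2}` prints one field per matching line, so a log with two successful pushes yields a two-line DIGEST that still passes the `-z` check; add `; exit` after the print to take the first match only.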
packages/core/installer/templates/cozystack-operator.yaml (4)

9-9: Avoid privileged namespace enforcement.

Setting pod-security.kubernetes.io/enforce: privileged disables all pod security admission controls for the namespace, allowing pods to run with full host privileges. This is a significant security risk and should be avoided.

Consider using a more restrictive policy (e.g., baseline or restricted) or applying elevated privileges only to specific pods that require them.


17-28: Grant minimal required permissions instead of cluster-admin.

Binding the service account to cluster-admin grants unrestricted superuser access to the entire cluster, violating the principle of least privilege. The operator should be granted only the specific permissions it requires.

Create a dedicated ClusterRole with the minimum necessary permissions (e.g., managing specific CRDs, reading Secrets, managing Deployments) and bind the service account to that role instead.


58-58: Clarify empty health-probe-bind-address.

Providing an empty value for --health-probe-bind-address is ambiguous. It's unclear whether this disables the health probe or causes it to fall back to a default, which could lead to unexpected behavior in health checking.

🔎 Suggested fix
-        - --health-probe-bind-address=
+        - --health-probe-bind-address=:8081
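Review bot: `:8081` binds on all interfaces, and this Deployment sets `hostNetwork: true` (see the comment on line 70 below), so the probe endpoint becomes a listener on every node address where the operator pod is scheduled; confirm no other host-network component on the nodes already uses 8081, and make sure the Deployment's livenessProbe/readinessProbe reference the same port, otherwise the flag change has no effect on health checking.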

70-70: Justify hostNetwork requirement.

Using hostNetwork: true grants the pod access to the node's network interface, bypassing network policies and increasing the attack surface. This should only be used if absolutely necessary and the reasons should be clearly documented.

Please verify whether hostNetwork is truly required for the operator to function, or if it can operate without this elevated privilege.

🧹 Nitpick comments (1)
packages/core/installer/example/platform.yaml (1)

12-17: Use placeholder values in example files.

This example file contains what appears to be real infrastructure values (dev5.infra.aenix.org and specific IP addresses). Example files should use placeholder or example values to avoid confusion and prevent accidental copy-paste of production infrastructure details.

🔎 Suggested placeholders
        publishing:
-          host: "dev5.infra.aenix.org"
-          apiServerEndpoint: "https://api.dev5.infra.aenix.org"
+          host: "example.com"
+          apiServerEndpoint: "https://api.example.com"
          externalIPs:
-          - 10.4.0.94
-          - 10.4.0.179
-          - 10.4.0.26
+          - 10.0.0.1
+          - 10.0.0.2
+          - 10.0.0.3
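Review bot: `example.com` is reserved for documentation (RFC 2606) and is a good choice, but `10.0.0.1` through `10.0.0.3` are ordinary RFC 1918 addresses that frequently exist in real networks; use the documentation ranges reserved for this purpose (192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24) so a copy-pasted example can never point at a live host.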
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d7931fd and b049f01.

📒 Files selected for processing (8)
  • packages/core/installer/Makefile
  • packages/core/installer/example/platform.yaml
  • packages/core/installer/images/cozystack-operator/Dockerfile
  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
  • packages/core/installer/templates/cozystack-operator.yaml
  • packages/core/installer/templates/cozystack.yaml
  • packages/core/installer/templates/crds.yaml
  • packages/core/installer/values.yaml
🧰 Additional context used
📓 Path-based instructions (2)
packages/core/**

📄 CodeRabbit inference engine (AGENTS.md)

Use Helm Chart umbrella pattern with vendored upstream charts in charts/ directory

Files:

  • packages/core/installer/templates/cozystack.yaml
  • packages/core/installer/images/cozystack-operator/Dockerfile
  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
  • packages/core/installer/values.yaml
  • packages/core/installer/Makefile
  • packages/core/installer/example/platform.yaml
  • packages/core/installer/templates/cozystack-operator.yaml
  • packages/core/installer/templates/crds.yaml
**/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Do NOT directly edit upstream Helm charts in vendored charts directory; use proper chart vendoring mechanisms

Files:

  • packages/core/installer/templates/cozystack.yaml
  • packages/core/installer/values.yaml
  • packages/core/installer/example/platform.yaml
  • packages/core/installer/templates/cozystack-operator.yaml
  • packages/core/installer/templates/crds.yaml
🧠 Learnings (8)
📚 Learning: 2025-12-25T09:45:26.511Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.511Z
Learning: Applies to **/*.go : Do NOT manually edit vendor/ directory or auto-generated files (zz_generated.*.go)

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.511Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.511Z
Learning: Applies to pkg/**/*.go : Follow controller-runtime patterns and kubebuilder style for Go code in pkg directory

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.511Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.511Z
Learning: Applies to internal/**/*.go : Follow controller-runtime patterns and kubebuilder style for Go code in internal directory

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.511Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.511Z
Learning: Applies to cmd/**/*.go : Follow controller-runtime patterns and kubebuilder style for Go code in cmd directory

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.511Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.511Z
Learning: Applies to go.mod : Do NOT modify go.mod manually; use `go get` command instead

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.511Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.511Z
Learning: Applies to go.sum : Do NOT modify go.sum manually; use `go get` command instead

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-06-26T04:29:24.830Z
Learnt from: NickVolynkin
Repo: cozystack/cozystack PR: 1117
File: packages/apps/mysql/Makefile:8-8
Timestamp: 2025-06-26T04:29:24.830Z
Learning: The cozystack project uses yq v4+ on their CI runner, so yq v4 syntax (-o json --indent 4) is compatible and version checks are not needed.

Applied to files:

  • packages/core/installer/values.yaml
📚 Learning: 2025-12-25T09:45:26.511Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.511Z
Learning: Applies to api/** : Define Kubernetes CRDs in the api directory following kubebuilder conventions

Applied to files:

  • packages/core/installer/templates/crds.yaml
🪛 Hadolint (2.14.0)
packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore

[error] 2-2: unexpected '*'
expecting '#', '', ADD, ARG, CMD, COPY, ENTRYPOINT, ENV, EXPOSE, FROM, HEALTHCHECK, LABEL, MAINTAINER, ONBUILD, RUN, SHELL, STOPSIGNAL, USER, VOLUME, WORKDIR, a pragma, at least one space, or end of input

(DL1000)

🪛 YAMLlint (1.37.1)
packages/core/installer/templates/cozystack.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/core/installer/templates/cozystack-operator.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/core/installer/templates/crds.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🔇 Additional comments (7)
packages/core/installer/templates/crds.yaml (1)

1-6: LGTM! Conditional CRD rendering is correctly implemented.

The CRDs are now rendered only when the operator is enabled, and the path correctly references definitions/*.yaml. The conditional logic aligns with the operator enablement pattern used throughout the PR.

packages/core/installer/templates/cozystack.yaml (1)

1-81: LGTM! Conditional rendering provides backwards compatibility.

The inverse condition (if not .Values.cozystackOperator.enabled) correctly ensures this traditional deployment is rendered only when the operator is disabled, providing a clean mutual exclusion with the operator-based deployment.

packages/core/installer/values.yaml (2)

3-7: LGTM! Image digests provide immutability.

The new cozystackOperator configuration is well-structured with sensible defaults. Using image digests (sha256) alongside tags provides both human-readable references and cryptographic verification of image contents, which is a security best practice.


7-7: Consider implications of "latest" for cozystackVersion.

The default value latest may lead to non-deterministic deployments if the operator resolves this at runtime. For production stability, consider whether a specific version should be set by default or if this is intentionally dynamic.

packages/core/installer/Makefile (2)

31-33: LGTM! Clean version update target.

The update-version target is straightforward and correctly updates the cozystackVersion field using yq.


35-44: LGTM! Follows existing image build pattern.

The image-operator target correctly follows the same pattern as the existing image-cozystack target, including Docker buildx, metadata extraction, and values.yaml updates.

packages/core/installer/templates/cozystack-operator.yaml (1)

79-118: LGTM! PackageSource structure is well-organized.

The PackageSource CRD definition with three variants (default, isp-full, isp-hosted) is well-structured and properly references the OCIRepository source. Each variant correctly specifies its install configuration and valuesFiles path.
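The digest extraction from the Makefile comment above, as an added example that is not the project's own Makefile recipe: a POSIX shell version that takes the first matching log line, rejects an empty or malformed digest with distinct exit statuses, and composes the repo@digest value the recipe stores in values.yaml. The log lines, registry.example and the digest itself are constructed placeholders, and the log format is assumed from the awk pattern in the Makefile.

```shell
#!/bin/sh
# Added example, not part of the cozystack Makefile: extract the OCI digest from a
# `flux push artifact` log the way the image-packages target does (awk, split on '@'),
# then validate it before it would be written into values.yaml.
# Assumed log format (constructed, inferred from the Makefile's awk pattern):
#   artifact successfully pushed to oci://<repo>@sha256:<64 hex chars>

# extract_digest LOGFILE
# Prints the digest on stdout. Exit status: 0 found and well-formed,
# 2 no "artifact successfully pushed" line, 3 digest present but malformed.
extract_digest() {
    log="$1"
    # Same field split as the Makefile; `exit` takes only the first matching line,
    # so a log with several pushes cannot produce a multi-line digest.
    digest=$(awk -F@ '/artifact successfully pushed/ {print $2; exit}' "$log")
    if [ -z "$digest" ]; then
        echo "error: no digest line found in $log" >&2
        return 2
    fi
    # A registry digest is "sha256:" followed by exactly 64 lowercase hex characters.
    if ! printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
        echo "error: malformed digest '$digest' in $log" >&2
        return 3
    fi
    printf '%s\n' "$digest"
}

# platform_source REPO LOGFILE
# Composes the "<repo>@<digest>" string the Makefile stores in values.yaml,
# propagating extract_digest's exit status on failure.
platform_source() {
    digest=$(extract_digest "$2") || return $?
    printf '%s@%s\n' "$1" "$digest"
}

# Constructed sample logs (registry.example and the digest are placeholders).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_DIGEST=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
cat > "$SAMPLE_DIR/ok.log" <<EOF
pushing artifact to oci://registry.example/platform-packages:v1.0.0
artifact successfully pushed to oci://registry.example/platform-packages@$SAMPLE_DIGEST
EOF
cat > "$SAMPLE_DIR/missing.log" <<'EOF'
pushing artifact to oci://registry.example/platform-packages:v1.0.0
error: unexpected status from HEAD request: 401 Unauthorized
EOF
cat > "$SAMPLE_DIR/bad.log" <<'EOF'
artifact successfully pushed to oci://registry.example/platform-packages@sha256:not-a-digest
EOF

# Demonstration: the happy path prints "<repo>@<digest>"; the other two fail with
# a message on stderr and a distinct exit status instead of silently leaving
# values.yaml untouched.
platform_source oci://registry.example/platform-packages "$SAMPLE_DIR/ok.log"
extract_digest "$SAMPLE_DIR/missing.log" || echo "exit status $?"
extract_digest "$SAMPLE_DIR/bad.log" || echo "exit status $?"
```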

@lllamnyp lllamnyp self-assigned this Dec 29, 2025
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
@kvaps kvaps force-pushed the cozystack-operator-manifests branch from b049f01 to c43db3b Compare December 29, 2025 13:04
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (1)
packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore (1)

1-3: Misleading comment and non-existent directory reference (already flagged).

The past review already identified that line 1's comment is misleading and line 3 references a non-existent src directory. This should be corrected as previously suggested.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b049f01 and c43db3b.

📒 Files selected for processing (8)
  • packages/core/installer/Makefile
  • packages/core/installer/example/platform.yaml
  • packages/core/installer/images/cozystack-operator/Dockerfile
  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
  • packages/core/installer/templates/cozystack-operator.yaml
  • packages/core/installer/templates/cozystack.yaml
  • packages/core/installer/templates/crds.yaml
  • packages/core/installer/values.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • packages/core/installer/example/platform.yaml
  • packages/core/installer/Makefile
  • packages/core/installer/images/cozystack-operator/Dockerfile
🧰 Additional context used
📓 Path-based instructions (2)
packages/core/**

📄 CodeRabbit inference engine (AGENTS.md)

Use Helm Chart umbrella pattern with vendored upstream charts in charts/ directory

Files:

  • packages/core/installer/values.yaml
  • packages/core/installer/templates/cozystack-operator.yaml
  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
  • packages/core/installer/templates/cozystack.yaml
  • packages/core/installer/templates/crds.yaml
**/*.yaml

📄 CodeRabbit inference engine (AGENTS.md)

Do NOT directly edit upstream Helm charts in vendored charts directory; use proper chart vendoring mechanisms

Files:

  • packages/core/installer/values.yaml
  • packages/core/installer/templates/cozystack-operator.yaml
  • packages/core/installer/templates/cozystack.yaml
  • packages/core/installer/templates/crds.yaml
🧠 Learnings (10)
📚 Learning: 2025-06-26T04:29:24.830Z
Learnt from: NickVolynkin
Repo: cozystack/cozystack PR: 1117
File: packages/apps/mysql/Makefile:8-8
Timestamp: 2025-06-26T04:29:24.830Z
Learning: The cozystack project uses yq v4+ on their CI runner, so yq v4 syntax (-o json --indent 4) is compatible and version checks are not needed.

Applied to files:

  • packages/core/installer/values.yaml
📚 Learning: 2025-12-25T15:24:47.730Z
Learnt from: kvaps
Repo: cozystack/cozystack PR: 1760
File: packages/core/platform/sources/velero.yaml:20-23
Timestamp: 2025-12-25T15:24:47.730Z
Learning: In Velero PackageSource configurations, the privileged: true setting is required for node-agents to function properly with hostPath access for backup operations.

Applied to files:

  • packages/core/installer/templates/cozystack-operator.yaml
📚 Learning: 2025-12-25T15:24:06.314Z
Learnt from: kvaps
Repo: cozystack/cozystack PR: 1760
File: packages/core/platform/sources/goldpinger.yaml:20-23
Timestamp: 2025-12-25T15:24:06.314Z
Learning: In the cozystack platform, Goldpinger is configured with privileged: true because it runs with hostNetwork=true to properly monitor network connectivity between nodes.

Applied to files:

  • packages/core/installer/templates/cozystack-operator.yaml
📚 Learning: 2025-12-25T09:45:26.524Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.524Z
Learning: Applies to **/*.go : Do NOT manually edit vendor/ directory or auto-generated files (zz_generated.*.go)

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.524Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.524Z
Learning: Applies to pkg/**/*.go : Follow controller-runtime patterns and kubebuilder style for Go code in pkg directory

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.524Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.524Z
Learning: Applies to internal/**/*.go : Follow controller-runtime patterns and kubebuilder style for Go code in internal directory

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.524Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.524Z
Learning: Applies to cmd/**/*.go : Follow controller-runtime patterns and kubebuilder style for Go code in cmd directory

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.524Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.524Z
Learning: Applies to go.mod : Do NOT modify go.mod manually; use `go get` command instead

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.524Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.524Z
Learning: Applies to go.sum : Do NOT modify go.sum manually; use `go get` command instead

Applied to files:

  • packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore
📚 Learning: 2025-12-25T09:45:26.524Z
Learnt from: CR
Repo: cozystack/cozystack PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-25T09:45:26.524Z
Learning: Applies to api/** : Define Kubernetes CRDs in the api directory following kubebuilder conventions

Applied to files:

  • packages/core/installer/templates/crds.yaml
🪛 Hadolint (2.14.0)
packages/core/installer/images/cozystack-operator/Dockerfile.dockerignore

[error] 2-2: unexpected '*'
expecting '#', '', ADD, ARG, CMD, COPY, ENTRYPOINT, ENV, EXPOSE, FROM, HEALTHCHECK, LABEL, MAINTAINER, ONBUILD, RUN, SHELL, STOPSIGNAL, USER, VOLUME, WORKDIR, a pragma, at least one space, or end of input

(DL1000)

🪛 YAMLlint (1.37.1)
packages/core/installer/templates/cozystack-operator.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/core/installer/templates/cozystack.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

packages/core/installer/templates/crds.yaml

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Build
🔇 Additional comments (4)
packages/core/installer/templates/cozystack.yaml (1)

1-1: LGTM: Conditional gating ensures mutual exclusivity.

The conditional wrapper correctly ensures that the direct cozystack deployment resources are only rendered when the operator is disabled, maintaining mutual exclusivity with the operator-based deployment path.

Also applies to: 81-81

packages/core/installer/values.yaml (1)

3-8: LGTM: Sensible defaults with digest pinning.

The new cozystackOperator configuration section provides sensible defaults (disabled by default for backward compatibility), proper image digest pinning for security, and structured platform source references.

packages/core/installer/templates/crds.yaml (1)

1-6: LGTM: CRD gating aligned with operator deployment.

The conditional rendering of CRDs when the operator is enabled is correct. The path definitions/*.yaml (line 2) is also correct, addressing the past review concern about a non-existent crds/ directory.

packages/core/installer/templates/cozystack-operator.yaml (1)

82-90: Verify that the cozystack-operator creates the OCIRepository resource.

The PackageSource references an OCIRepository named cozystack-packages in the cozy-system namespace (lines 88-90), but this resource is not defined in any Helm template. The operator receives the platform source configuration via --platform-source-url and --platform-source-ref arguments, suggesting it may create the OCIRepository dynamically during initialization. Confirm in the operator code that this resource is created based on these initialization arguments, or document the creation mechanism.

Comment on lines +60 to +62
{{- if .Values.cozystackOperator.disableTelemetry }}
- --disable-telemetry
{{- end }}

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

rg -n 'disableTelemetry' packages/core/installer/

Repository: cozystack/cozystack

Length of output: 184


🏁 Script executed:

cat -n packages/core/installer/values.yaml | head -50

Repository: cozystack/cozystack

Length of output: 631


Add disableTelemetry field to values.yaml for clarity.

The template on line 60 references .Values.cozystackOperator.disableTelemetry, but this field is not defined in values.yaml. While Helm handles missing values gracefully (treating them as falsy), adding this field explicitly with a default value (e.g., disableTelemetry: false) improves discoverability and makes the configuration option more accessible to users.

🤖 Prompt for AI Agents
In packages/core/installer/templates/cozystack-operator.yaml around lines 60 to
62, the template references .Values.cozystackOperator.disableTelemetry but
values.yaml does not declare this field; add a new entry under the
cozystackOperator section in values.yaml called disableTelemetry with a default
boolean (e.g., disableTelemetry: false) so the option is discoverable and
documented for users, and update any related README/config docs if present to
mention this new flag.

Comment on lines +102 to +121
- name: isp-full
components:
- install:
namespace: cozy-system
releaseName: cozystack-platform
name: cozystack-platform
path: core/platform
valuesFiles:
- values.yaml
- values-isp-full.yaml
- name: isp-hosted
components:
- install:
namespace: cozy-system
releaseName: cozystack-platform
name: cozystack-platform
path: core/platform
valuesFiles:
- values.yaml
- values-isp-hosted.yaml
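Review bot: both variants in this hunk install into the same `namespace: cozy-system` with the same `releaseName: cozystack-platform`, so `isp-full` and `isp-hosted` cannot coexist on one cluster and switching the selected variant will upgrade the existing release in place; that exclusivity should be stated wherever the variants are documented. The `namespace`, `releaseName`, `name` and `path` lines are duplicated verbatim between the two entries and differ only in the second `valuesFiles` item, so consider hoisting the shared fields (or generating the entries from a list) to keep the variants from drifting apart.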

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's understand the directory structure of packages/core
fd -type d -max-depth 2 'packages/core' .

Repository: cozystack/cozystack

Length of output: 233


🏁 Script executed:

# List the contents of packages/core directory
ls -la packages/core/ 2>/dev/null | head -30

Repository: cozystack/cozystack

Length of output: 453


🏁 Script executed:

# Check if platform directory exists and look for variant values files
find packages/core -name '*isp*.yaml' -o -name 'values*.yaml' | grep -E '(isp|values)' | sort

Repository: cozystack/cozystack

Length of output: 199


🏁 Script executed:

# Let's also examine the cozystack-operator.yaml file to understand the full context
wc -l packages/core/installer/templates/cozystack-operator.yaml

Repository: cozystack/cozystack

Length of output: 124


🏁 Script executed:

# Read the specific lines from the YAML file
sed -n '92,122p' packages/core/installer/templates/cozystack-operator.yaml

Repository: cozystack/cozystack

Length of output: 797


🏁 Script executed:

# Also check the platform directory contents
find packages/core/platform -type f -name '*.yaml' | sort

Repository: cozystack/cozystack

Length of output: 569


🏁 Script executed:

# Check what's in the platform directory
ls -la packages/core/platform/

Repository: cozystack/cozystack

Length of output: 525


Create missing variant-specific values files in packages/core/platform/.

The PackageSource variants isp-full and isp-hosted reference overlay value files that do not exist:

  • values-isp-full.yaml (line 111)
  • values-isp-hosted.yaml (line 121)

These files must be created in packages/core/platform/ to support the variant configurations. Verify the structure of existing bundle files and create corresponding values overlays for each variant.

🤖 Prompt for AI Agents
In packages/core/installer/templates/cozystack-operator.yaml around lines 102 to
121 the PackageSource variants reference two missing overlay files
(values-isp-full.yaml and values-isp-hosted.yaml); create these two files under
packages/core/platform/ named exactly values-isp-full.yaml and
values-isp-hosted.yaml, model their structure after the existing values.yaml and
any other variant overlays in the repo (apply only the variant-specific
overrides required for isp-full and isp-hosted), validate YAML syntax, and add
them to the repository so the PackageSource entries resolve correctly.

@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 30, 2025
@kvaps kvaps merged commit 7e86a04 into main Dec 30, 2025
24 checks passed
@kvaps kvaps deleted the cozystack-operator-manifests branch December 30, 2025 10:57
kvaps added a commit that referenced this pull request Jan 8, 2026
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

<!-- Thank you for making a contribution! Here are some tips for you:
- Start the PR title with the [label] of Cozystack component:
- For system components: [platform], [system], [linstor], [cilium],
[kube-ovn], [dashboard], [cluster-api], etc.
- For managed apps: [apps], [tenant], [kubernetes], [postgres],
[virtual-machine] etc.
- For development and maintenance: [tests], [ci], [docs], [maintenance].
- If it's a work in progress, consider creating this PR as a draft.
- Don't hesitate to ask for opinion and review in the community chats,
even if it's still a draft.
- Add the label `backport` if it's a bugfix that needs to be backported
to a previous version.
-->

<!--  Write a release note:
- Explain what has changed internally and for users.
- Start with the same [label] as in the PR title
- Follow the guidelines at
https://github.com/kubernetes/community/blob/master/contributors/guide/release-notes.md.
-->

```release-note
[cozystack-operator] Add deployment files
```

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

* **New Features**
* Deployable CozyStack operator with configurable enablement, image, and
platform-source settings
* Operator-managed package source and variant-based platform
installation options

* **Chores**
* Release/packaging targets added to automate image and package
publishing and update manifests
* Configuration schema extended to include operator-related fields and
versioning controls

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
kvaps added a commit that referenced this pull request Jan 16, 2026
…d backup system (#1867)

## What this PR does

Update changelog for v1.0.0-alpha.1 to include missing features:
- **Cozystack Operator**: New operator for Package and PackageSource
management (#1740, #1741, #1755, #1756, #1760, #1761)
- **Backup System**: Comprehensive backup functionality with Velero
integration (#1640, #1685, #1687, #1708, #1719, #1720, #1737, #1762)
- Add @androndo to contributors
- Update Full Changelog link to v0.38.0...v1.0.0-alpha.1

### Release note

```release-note
[docs] Update changelog for v1.0.0-alpha.1: add cozystack-operator and backup system
```

Labels

enhancement New feature or request lgtm This PR has been approved by a maintainer size:L This PR changes 100-499 lines, ignoring generated files.


3 participants